Table Of Contents - H3C S5830V2 Security Configuration Manual


Contents
Configuring AAA
  Overview
    RADIUS
    HWTACACS
    LDAP
    AAA implementation on the device
    AAA for MPLS L3VPNs
    Protocols and standards
    RADIUS attributes
  FIPS compliance
  AAA configuration considerations and task list
  Configuring AAA schemes
    Configuring local users
    Configuring RADIUS schemes
    Configuring HWTACACS schemes
    Configuring LDAP schemes
  Configuring AAA methods for ISP domains
    Configuration prerequisites
    Creating an ISP domain
    Configuring ISP domain status
    Configuring authentication methods for an ISP domain
    Configuring authorization methods for an ISP domain
    Configuring accounting methods for an ISP domain
  Enabling the session-control feature
  Displaying and maintaining AAA
  AAA configuration examples
    AAA for SSH users by an HWTACACS server
    Local authentication, HWTACACS authorization, and RADIUS accounting for SSH users
    Authentication and authorization for SSH users by a RADIUS server
    Authentication for SSH users by an LDAP server
  Troubleshooting RADIUS
    RADIUS authentication failure
    RADIUS packet delivery failure
    RADIUS accounting error
  Troubleshooting HWTACACS
  Troubleshooting LDAP
802.1X overview
  802.1X architecture
  Controlled/uncontrolled port and port authorization status
  802.1X-related protocols
    Packet formats
    EAP over RADIUS
  Initiating 802.1X authentication
    802.1X client as the initiator
    Access device as the initiator
  802.1X authentication procedures
    Comparing EAP relay and EAP termination
    EAP relay

This manual is also suitable for:

S5820v2
